Sigfree: A signature-free buffer overflow attack blocker

Xinran Wang, Chi Chun Pan, Peng Liu, Sencun Zhu

Research output: Contribution to journal › Article

14 Citations (Scopus)

Abstract

We propose SigFree, an online, signature-free, out-of-the-box, application-layer method for blocking code-injection buffer overflow attack messages targeting various Internet services such as web services. Motivated by the observation that buffer overflow attacks typically contain executable code whereas legitimate client requests never contain executable code in most Internet services, SigFree blocks attacks by detecting the presence of code. Unlike previous code detection algorithms, SigFree uses a new data-flow analysis technique called code abstraction that is generic, fast, and hard for exploit code to evade. Because SigFree is signature-free, it can block new and unknown buffer overflow attacks; SigFree is also immune to most attack-side code obfuscation methods. Since SigFree is deployed transparently in front of the servers being protected, it is suitable for economical Internet-wide deployment with very low deployment and maintenance cost. We implemented and tested SigFree; our experimental study shows that the dependency-degree-based SigFree could block all types of code-injection attack packets (above 750) tested in our experiments with very few false positives. Moreover, SigFree adds very little extra latency to normal client requests when some requests contain exploit code.

Original language: English (US)
Article number: 4522563
Pages (from-to): 65-79
Number of pages: 15
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 7
Issue number: 1
DOI: 10.1109/TDSC.2008.30
State: Published - Jan 1 2010

Fingerprint

  • Internet
  • Data flow analysis
  • Web services
  • Servers
  • Costs
  • Experiments

All Science Journal Classification (ASJC) codes

  • Electrical and Electronic Engineering

Cite this

@article{c12fe7644a2143299ac97e3ff78d71cc,
title = "Sigfree: A signature-free buffer overflow attack blocker",
author = "Xinran Wang and Pan, {Chi Chun} and Peng Liu and Sencun Zhu",
year = "2010",
month = "1",
day = "1",
doi = "10.1109/TDSC.2008.30",
language = "English (US)",
volume = "7",
pages = "65--79",
journal = "IEEE Transactions on Dependable and Secure Computing",
issn = "1545-5971",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "1",
}
